W3C Publishes Do Not Track Proposal

The W3C has proposed a standard for implementing the Do Not Track mechanism for both users and site owners, wading into what has become a contentious and fractious debate. The proposed standard, known as the Tracking Preference Expression, is designed to give users the ability to tell sites what data they can collect, and allow those sites to inform users what they collect, in turn.

The proposal is still in draft form at the moment, but it’s the first step toward a possible standard for helping users get a better handle on what data is being collected by the sites they visit, as well as the third-party sites that they may have marketing and data-sharing agreements with.

“The new standard will allow users to express a preference whether or not data about them can be collected for tracking purposes. This helps to establish a new communication channel between users and services to prevent surprises and re-establish trust in the marketplace. The standard will also define mechanisms for sites to signal whether and how they honor this preference and a mechanism for allowing the user to grant site-specific exceptions to DNT,” the W3C said in a statement.

The proposed standard itself defines the technical specifications of how a user-side and server-side DNT mechanism could work, and what each party should expect as they go about their business online. Some of the browser vendors, including Mozilla and Microsoft, have implemented their own version of Do Not Track in their applications in the last few months. But a standard from the W3C, if it comes, would provide an overarching way for others to implement the mechanism. Among the members of the W3C Tracking Protection Working Group are Adobe, Apple, Google, Microsoft, the Center for Democracy and Technology and Facebook.

“None of the participants in this Web of customization and targeted advertising want to offend the user. For advertisers, it is counterproductive. For Web site owners, it drives away their audience and income. For advertising networks, it leads to blocking and lost advertisers. Therefore, we need a mechanism for the user to express their own preference regarding cross-site tracking that is both simple to configure and efficient when implemented. Likewise, since some Web sites may be dependent on the revenue obtained from targeted advertising and unwilling (or unable) to permit use of their content without cross-site data collection, we need a mechanism for sites to alert the user to those requirements and allow the user to configure an exception to DNT for specific sites,” the proposed DNT standard says.

“This specification defines the HTTP request header field DNT for expressing a tracking preference on the Web, a well-known location (URI) for providing a machine-readable site-wide policy regarding DNT compliance, and the HTTP response header field Tracking for third-party resources engaged in dynamic tracking behavior to communicate their compliance or non-compliance with the user’s expressed preference.”

The W3C proposal does not contemplate how the user’s Do Not Track preference is expressed in the browser or other user agent; that’s the purview of the application vendor. Instead, it’s concerned with how the browser and sites behave when the DNT mechanism is turned on or off. It also specifies how third parties and intermediaries should behave with respect to users’ preferences.

“An HTTP intermediary must not add, delete, or modify the DNT header field in requests forwarded through that intermediary unless that intermediary has been specifically installed or configured to do so by the user making the requests. For example, an Internet Service Provider must not inject DNT: 1 on behalf of all of their users who have not selected a choice,” the proposal says.
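The intermediary rule quoted above can be checked mechanically by comparing the request headers a proxy received with the ones it forwarded. The following Python sketch is an added example, not code from the W3C draft or the article; the function names, the `user_configured` flag and the sample captures are assumptions made for illustration, and DNT values are compared as opaque strings.

```python
"""Audit whether an HTTP intermediary preserved the DNT request header."""


def dnt_values(headers):
    """Return every DNT field value, in order; header names are case-insensitive."""
    return [value.strip() for name, value in headers if name.strip().lower() == "dnt"]


def audit_dnt_forwarding(inbound, outbound, user_configured=False):
    """Compare DNT as received from the client with DNT as forwarded upstream.

    inbound/outbound are lists of (name, value) tuples captured at the
    intermediary's ingress and egress. Returns a (verdict, compliant) pair.
    """
    before, after = dnt_values(inbound), dnt_values(outbound)
    if before == after:
        verdict = "preserved"
    elif not before:
        verdict = "added"
    elif not after:
        verdict = "deleted"
    else:
        verdict = "modified"
    # Any change is acceptable only when the user making the requests
    # installed or configured the intermediary to make it.
    return verdict, verdict == "preserved" or user_configured


# Constructed sample captures (not real traffic).
SAMPLES = {
    "pass-through": ([("Host", "example.test"), ("DNT", "1")],
                     [("Host", "example.test"), ("dnt", "1"), ("Via", "1.1 proxy")]),
    "isp-injection": ([("Host", "example.test")],
                      [("Host", "example.test"), ("DNT", "1")]),
    "stripped": ([("DNT", "1")], []),
    "rewritten": ([("DNT", "1")], [("DNT", "0")]),
}

if __name__ == "__main__":
    for label, (inbound, outbound) in SAMPLES.items():
        print(label, audit_dnt_forwarding(inbound, outbound))
```

The "isp-injection" sample corresponds to the draft's own example of an Internet Service Provider adding DNT: 1 for users who have not made a choice.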

About Dennis Fisher

Dennis Fisher is a journalist with more than 13 years of experience covering information security.

Comment (1)

w00t! it’s about time. privacy issues can only be dealt with by a (somewhat) impartial 3rd party with some amount of oversight. the vendors implementing whatever they want and passing it off as privacy protections is a joke.
